[Soot-list] [Android][FlowDroid][SPARK] A question about the precision of taint analysis in Flowdroid (and possible false negatives in spark)

Sumaya Abdullah A Almanee salmanee at uci.edu
Wed Apr 10 18:34:49 EDT 2019 

Im currently using FlowDroid to simply track taint propagations between
certain sources and sinks. since I'm performing a separate analysis on some
native libraries of Android apks, I've decided to leverage FlowDroid to
track any taints passed/leaked from the *dalvik*-side to the *native-*side.
The way I configured the Source_Sink files is by first examining the
reachable functions in the call graph generated by FlowDroid (using spark)
and then marking these reachable functions as follow: any native function
is marked as _SINK_ and everything else as _SOURCE_.

I obtained some initial results. A small snippet of these results is shown
below: (The results highlighted in yellow are the ones that Im mainly
interested in)

[image: Screen Shot 2019-04-10 at 3.04.27 PM.png]

Based on the way I constructed the sources and sinks config file I was
expecting more leaks to be reported. If I understand correctly these
results might contain *false positives* for example in the case of arrays
or collections (due to over-approximations). However, FlowDroid is unlikely
to miss any leaks (low *false negatives* rate). Is this correct? What I'm
trying to figure out here is:
1) An estimate of false positives or false negatives in FlowDroid's
reported leaks.
2) Possible reasons why some leaks might be missing (false negatives)?
3) Since FlowDroid is relaying on the call graph for reporting taints (in
this case SPARK) and since the absence of a node in the graph might result
also in missing reported leaks. I was wondering is there's also an estimate
of false negatives in Sprak?

I really appreciate your time and help with this!

Best,
Sumaya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20190410/b790bc05/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2019-04-10 at 3.04.27 PM.png
Type: image/png
Size: 634418 bytes
Desc: not available
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20190410/b790bc05/attachment-0001.png>

More information about the Soot-list mailing list